Azure Governance

Azure Governance is a portfolio of platform capabilities that helps customers address the need for control at scale without sacrificing developer agility. This includes services like Azure Policy, Azure Blueprints, Azure Resource Graph & Management Groups.

More details about the services are available in the Azure Governance documentation. If you have a technical issue, please open a post on the developer forums through Stack Overflow.

Products that we listen to in this space include: Azure Policy, Azure Blueprints, Azure Resource Graph, Azure Subscriptions and Azure Management Groups

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Ability to query for DNS Zones CNAME type in Azure Resource Graph

    I am able to filter out resources by provider (e.g., 'Microsoft.Network') and higher-level types (e.g., 'Microsoft.Network/dnszones'). However, not all resource types are supported by Resource Graph. For example, DNS Zone record types aren't supported. I would like to get a response for a query like this one:

    az graph query -q "where type =~ 'microsoft.network/dnszones/cname'"

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  2. Limit Portal View

    When applying a Blueprint, have an option to limit what is visible for users to deploy in the Azure Portal

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    1 comment  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  3. Azure Policy - Compliance Overview & Non-Compliant Resources Details

    On the "non-compliance resources" view and also the detailed "resource compliance" blade need to show more details on the policy rule that was not compliance (e.g. what field, expected values, actual values)

    For example, if I have a policy that checks for a tag existence, which has a parameter of tagName, then have an initiative which has that policy linked 4 times with different tagName parameters, you can't tell which is which or what the actual values of the resource evaluated were.

    6 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  4. Not be able to create exemptions as an evasion for policies assigned to a management group

    When assigning a blueprint with resources and policies (e.g. "Allowed Locations for resource groups" to a Management Group, currently the owner of the subscription cannot delete the assigned policies, but he can still make policy exemptions for those assigned policies so this way he can evade the assigned policies.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  5. 5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  6. Blueprints and ARM Complete mode

    Today, without the ability to specify complete mode deployments, we struggle undoing items from ARM templates. As blueprints change over time, would make our lives much easier if we didn't need to drop into Azure CLI or REST to undo changes

    https://github.com/neilpeterson/azure-blueprints-pipeline-tasks/issues/66

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  7. Azure Policy: Custom Rules

    AWS Config has the ability to define custom rules, where the rule evaluation is run within a lambda function: https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules.html

    It would be nice if Azure Policy had an equivalent capability--that way, arbitrarily complex evaluations could be defined by using a language such as python instead of being limited to what the policy definition's JSON language supports

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  8. Azure Policy Initiatives - allow Policy exclusion changes

    An initiative contains multiple policies, and need to be able to exclude application of a child policy while maintaining enforcement of the other policies within. Today, it is 'all or nothing' application of the initiative.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    planned  ·  0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  9. Include expanded instance view information into virtual machines response

    It would be very useful to include properties.instanceView into base response for 'Microsoft.Compute/virtualMachines'. It's not efficient enough to get instance statuses for each machine in separate API call. Moreover I didn't find an ability to retrieve this property via GraphAPI at all.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  10. Azure policy effect "deny" doesn't work on API call"delete"

    Hello,

    Currently Azure policy effect "deny" doesn't work on API call "delete". This creates issues when cx's create policies with deny effect. For example, when we try to create a policy which prevent users from disconnecting "VNET INTEGRATION", the operation which takes place is Delete(Microsoft.Web/sites/networkconfig/virtualNetwork).

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  11. View changes across all resources

    Ability to see which Azure resources changed over a time period

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  12. Allow blueprints to register services within subscriptions

    Currently the only way to register all services for a subscription, if the users dont have owner or contributor roles on them, is to run a shell command for every single subscription to register all services. Being able to do this within a blueprint would save a great amount of time when building out tenants.

    5 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    2 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  13. Evaluate a condition of Azure policy rules from powershell / az cli

    When creating policies it would be convenient to test our condition locally by targeting a specific resource group for exemple.

    Currently we should create the policy and assign it and wait for the the result.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Policy  ·  Flag idea as inappropriate…  ·  Admin →
  14. I'd like to leverage the resource graph explorer tool to be able to analyse cost and expenditures.

    I want to be able to create graphs that show details on cost and expenditures.
    how much are resources X costing me, if i make these changes how will that price change, so on and so on .

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  15. Allow for blueprint access on management groups without seeing all other subscriptions beneath it

    We want to give access to blueprints on management groups without the user seeing all other subscription below that management group.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  16. Support Optional Blueprint Parameters

    Currently, all Blueprint Parameters require a value to be entered. Please support optional parameters for Blueprints. There are numerous use cases for this:


    • Deploy a VM standalone or in an Availability Set.

    • Add additional tags to resources.

    • And so on...

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  17. Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.

    Exclude resource groups and/or resources when deploying a blueprint like you can with policy assignments under policy.

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  18. Resource Changes: Track resource move

    Create a change log when a resource is moved to a different resource group and maintain its history from before it moved

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  1 comment  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  19. Ability to query for custom role definitions in Azure Resource Graph

    Please add support for listing all custom role definitions

    Resource Type: Microsoft.Authorization/roleDefinitions

    https://docs.microsoft.com/en-us/azure/templates/microsoft.authorization/2017-09-01/roledefinitions

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    under review  ·  0 comments  ·  Azure Resource Graph  ·  Flag idea as inappropriate…  ·  Admin →
  20. Allow use of resourceGroup() functions within a resource group artifact

    When using an ARM template artifact within a resource group artifact, allow us to use the resourceGroup() functions, like respourceGroup().location. Currently, we receive the error: Error: 'The function 'resourceGroup' is not valid.'

    4 votes
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)

    We’ll send you updates on this idea

    0 comments  ·  Azure Blueprints  ·  Flag idea as inappropriate…  ·  Admin →
  • Don't see your idea?

Feedback and Knowledge Base